As of March 2025, we require encryption for all FTP connections to enhance security.
To facilitate this transition, cPanel's FTP service now supports Server Name Indication (SNI). This enhancement allows you to connect using your domain name or its FTP subdomain, rather than being restricted to the server's hostname. With SNI, the server can present the appropriate TLS certificate for your domain, preventing certificate mismatches that could cause FTP clients to refuse connections.
Important Note: While SNI is widely supported, some FTP clients may not fully support this feature. If you encounter issues, consider connecting using the server's hostname as an alternative.
When using FileZilla and connecting via your domain name, you might encounter the following warning:
This warning indicates that, for each file transfer, the client and server must establish a new TLS encryption session. FileZilla emphasizes this as a potential security risk, suggesting that file contents could be intercepted or altered. However, prior to the March 2025 update, unencrypted FTP connections posed similar risks without any warnings. Additionally, each connection and data transfer remains fully encrypted and FileZilla is the only FTP program that we're aware of that gives such a warning.
Recommendations:
-
Accept the Warning: You can safely check the box labeled "Always allow insecure data connections for this server in future sessions." Despite the wording, your data connections will still be encrypted and secure.
-
Use the Server Hostname: If you prefer not to accept the warning, connect using the server's hostname instead of your domain name. If you're unsure of the server hostname, please contact our support team for assistance.
-
Switch to sFTP: Alternatively, consider using sFTP (FTP over SSH) instead of FTPS (FTP with TLS encryption). Note that sFTP is only available for the primary cPanel user and not for additional FTP accounts you've created.
Before implementing the encryption requirement, FTP connections transmitted usernames, passwords, and data in clear text, posing significant security risks. The move to encrypted connections ensures that sensitive information, such as configuration files with database details, remains protected during transmission.
Alternative Option: sFTP (FTP over SSH)
Most FTP clients also support sFTP. We do not recommend that you try sFTP over FTPS in most cases.
sFTP is a completely different protocol than FTPS—it’s often called "FTP over SSH" because it uses an SSH-encrypted tunnel instead of the traditional FTP protocol. sFTP can be a great choice for security because it operates over a single port and uses robust SSH encryption and authentication methods.
- sFTP connects to port 2233 on our servers.
- It only works for the primary cPanel username.
- SSH is disabled by default; please contact us if you want SSH/sFTP enabled for your account.
Why Choose sFTP Over FTPS?
- Both encrypt data in transit, but SFTP uses SSH keys/credentials and a single port, which can simplify firewall settings, although this is rarely considered on the client side.
- FTPS remains widely supported and can be simpler to configure on some FTP clients, especially if were already using FTP.
Remote Path Differences:
When using sFTP, your root directory may differ from standard FTP. For example, instead of being placed directly in “public_html” or a similar folder, you will be placed in your home directory (e.g., /home/username). You can then navigate to the correct folder (e.g., /home/username/public_html) for uploading your site files. How you adjust this varies from sFTP client to sFTP client.
